Week 6 - Controls for information security, processing integrity controls PDF

Title Week 6 - Controls for information security, processing integrity controls
Course Accounting Information System
Institution Monash University
Pages 6
File Size 299.9 KB
File Type PDF



Friday, 6 September 2019, 12:27 PM

Week 6 - Controls for information security, processing integrity controls (Chapter 8, Chapter 10)

The five principles of systems reliability (Trust Services framework):
- Security - physical and logical access to the system and its data are controlled and restricted to authorised users
- Confidentiality - sensitive organisational information is protected from unauthorised disclosure
- Privacy - personal information is collected, used, disclosed and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorised disclosure
- Processing integrity - data are processed accurately, completely, in a timely manner, and only with proper authorisation
- Availability - the system and its information are available to meet operational and contractual obligations

2 fundamental concepts:
a) Security is a management issue, not a technology one
   - Senior management's decisions are involved in all four phases of the security life cycle

REVISION Page 1

1. Assess threats and select a risk response
   - Identify potential threats
   - Estimate the impact and probability of each
   - Senior management decides the response: avoid, accept, reduce, or share the risk
2. Develop and communicate policy
   - Employees receive regular, periodic reminders of security policies and training on how to comply with them
   - Senior management's involvement and support ensure that information security training and communication are taken seriously
3. Acquire and implement solutions
   - Acquire or build the specific technological tools needed
   - Senior management authorises the investment of the resources necessary to mitigate the identified threats and achieve the desired level of security
4. Monitor performance
   - Regularly monitor performance and evaluate the effectiveness of the information security program
   - Management must reassess the risk response, change information security policies, and invest in new solutions as needed so that information security efforts support a business strategy consistent with management's risk appetite

b) Time-based model of information security: P > D + R
   - P - the time it takes an attacker to break through the preventive controls
   - D - the time it takes to detect that an attack is in progress
   - R - the time it takes to respond to the attack and take corrective action
   - The shorter D and R are, the better
   - If P > D + R holds, the information security procedures are effective: the attack is detected and stopped before the preventive controls are breached
   - The problem is that it is hard to derive accurate, reliable measures of P, D and R, so the model is used for strategic analysis rather than precise measurement

Understanding targeted attacks

1. Conduct reconnaissance
   - Learn as much as possible about the target and identify vulnerabilities
   - Study the physical layout and the controls the target has in place
   - Hackers collect information about their targets by perusing financial statements, SEC filings, the company website, and press releases
2. Attempt social engineering
   - Use deception to obtain unauthorised access to information resources
   - Impersonate an executive
   - Pose as a clueless temporary worker and ask for assistance
   - Spear phishing
   - Trojan horse embedded in USB drives
3. Scan and map the target
   - Identify potential points of remote entry using automated tools
4. Research
   - Research the programs found in the previous step to find their vulnerabilities and learn how to take advantage of them
5. Execute the attack
   - Take advantage of the vulnerabilities to obtain unauthorised access to the target's information system
6. Cover tracks
   - Cover their tracks and create a back door to retain access if the initial method of attack is discovered and eventually blocked

How to mitigate the risk of attack?

Preventive

- People
  • Create a "security conscious" culture, where employees comply with security policies and managers lead by example
  • Training
    ○ Educate employees on social engineering attacks
    ○ Safe computing practices
    ○ Avoid piggybacking (letting someone follow you through a secured door)
    ○ Training is a preventive control
    ○ Effective only if management demonstrates support for employees who follow security policies

  • User access controls
    ○ Authentication controls - verify the identity of the person or device attempting to access the system
      ▪ Something you know (password/PIN), something you have (ID badge/card), something you are (biometric identifier: fingerprint, voice recognition, eye scan)
      ▪ Limitations:
        □ Passwords can be guessed, lost, written down, given away
        □ Biometrics are not 100% accurate, e.g. voice recognition fails when an employee has a sore throat
        □ Physical identification can be lost, stolen, duplicated
    ○ Multifactor authentication - 2 or more different types of credentials used in conjunction to achieve a greater level of security
      ▪ e.g. Monash username and password, followed by Okta verification
    ○ Multimodal authentication - multiple credentials of the same type (e.g. two different passwords)
    ○ Multifactor is the stronger of the two because the factors are independent of each other: compromising one credential does not raise the probability of successfully compromising another
    ○ Authorisation controls - restrict authenticated users to specific portions of the system, limiting what actions they are permitted to perform (enforced through an access control matrix that maps users to resources and permitted actions)
- Process
  • Penetration testing - an authorised attempt to break into the organisation's information system
    ○ The purpose is to identify where additional protections are most needed to increase the time and effort required to compromise the system
  • Change controls and change management - a formal process used to ensure that modifications to hardware, software, or processes do not reduce system reliability
    ○ Documentation - nature of the change, rationale, date and outcome
    ○ Approval - of all change requests
    ○ Testing - to reduce the risk of "bugs" and disruptions
    ○ Develop a "backout" plan - to revert to the previous configuration if the change fails
    ○ Monitoring - during the change process, to ensure that proper segregation of duties is maintained
- IT solutions
  • Anti-malware controls
  • Network access controls
    ○ Perimeter defence
      ▪ Routers - connect the information system to the internet
      ▪ Firewalls - control inbound and outbound communication
      ▪ Intrusion prevention systems - monitor patterns in traffic flow to identify and automatically block attacks
    ○ Controlling access by filtering packets
      ▪ Access control lists
      ▪ Packet filtering
    ○ Defence in depth to restrict network access
    ○ Securing wireless access
  • Device and software hardening controls
    ○ Patch - code released by software developers that fixes a particular vulnerability
    ○ Hardening - modifying the default configuration of endpoints to eliminate unnecessary settings and services
    ○ User account management

    ○ Software design
  • Encryption - protects the confidentiality of organisational information and the privacy of personal information
  • Parity bits - an extra bit added to every character so that the character can be checked for transmission accuracy
- Physical security
  • Control the entry points to the building
  • Emergency exits should not permit entry from the outside and should be wired to an alarm system
  • Rooms containing equipment are securely locked
  • Entry and exit are monitored by CCTV
  • Cables and wires should not be exposed in areas accessible to casual visitors
  • Use key badges and biometric identifiers to control entry and to identify situations likely to represent breaches
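The user access controls above (multifactor authentication, then authorisation) as a worked example. This is added code, not part of the course notes: it checks a password (something you know) and a TOTP code (something you have; RFC 6238, the algorithm behind most authenticator apps), and only then consults an access control matrix. The user record, the salt, the TOTP seed (the RFC 4226 test-vector seed) and the matrix are constructed for the example; a real system would store per-user random salts and seeds.

```python
"""Multifactor authentication (password + TOTP) followed by an authorisation
check against an access control matrix. Added example with constructed data."""
import hashlib
import hmac

# --- Factor 1: something you know. Salted, stretched password hash.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# --- Factor 2: something you have. HOTP (RFC 4226) / TOTP (RFC 6238).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30) -> str:
    """Code for the 30-second time step containing Unix time `at`."""
    return hotp(secret, int(at // step))

# Constructed user store: fixed salt and the RFC test-vector seed, for the example only.
SALT = b"\x00" * 16
TOTP_SEED = b"12345678901234567890"
USERS = {
    "alice": {"pw_hash": hash_password("correct horse", SALT),
              "seed": TOTP_SEED,
              "last_counter": -1},   # highest time step already used (replay guard)
}

def authenticate(user: str, password: str, code: str, now: float, skew: int = 1) -> bool:
    """Both factors must pass. A stolen password alone is not enough, and a
    captured code cannot be replayed once its time step has been consumed."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["pw_hash"], hash_password(password, SALT)):
        return False
    counter = int(now // 30)
    # Accept +/- `skew` steps to tolerate clock drift between server and token.
    for c in range(counter - skew, counter + skew + 1):
        if c <= rec["last_counter"]:
            continue   # each time step's code may be used once
        if hmac.compare_digest(hotp(rec["seed"], c), code):
            rec["last_counter"] = c
            return True
    return False

# --- Authorisation: access control matrix, user -> resource -> permitted actions.
ACL = {
    "alice": {"payroll_master": {"read"}, "sales_orders": {"read", "write"}},
}

def authorise(user: str, resource: str, action: str) -> bool:
    """Authenticated users are still limited to the actions the matrix grants."""
    return action in ACL.get(user, {}).get(resource, set())

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the correct code at this instant is 287082
    print(authenticate("alice", "correct horse", totp(TOTP_SEED, t), t))  # True
    print(authorise("alice", "payroll_master", "write"))                   # False
```

The replay guard and the drift window are the two details practitioners usually miss: without the guard an attacker who shoulder-surfs one code has a 30-second window, and without the window legitimate users with slightly slow tokens are locked out.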

Detective

- Log analysis
  • Examine logs to identify evidence of possible attacks
- Intrusion detection systems
  • A system that creates logs of all network traffic that was permitted to pass the firewall and then analyses those logs for signs of attempted or successful intrusions
  • It produces a warning alert when it detects a suspicious pattern of network traffic; it is up to the human responsible to decide the course of action (unlike an IPS, which blocks automatically)
- Continuous monitoring
  • Of both employee compliance with the organisation's information security policies and the overall performance of business processes
  • A detective control that identifies potential problems in a timely manner and identifies opportunities to improve existing controls
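Log analysis as described above, in code. This is an added example and not from the course notes: it scans authentication log lines for a burst of failed logins from one source address and for a successful login following that burst, and returns alerts for a human to act on, which is the IDS behaviour described above (alert, do not block). The log lines are constructed for the example, in a syslog-like format; the hypothetical threshold and window are tuning assumptions.

```python
"""Detective control: analyse auth-log lines for brute-force patterns and
return alerts for human review. Added example; sample log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, not a real capture. 203.0.113.7 fails five times in
# a few seconds and then succeeds; 198.51.100.2 is a normal user who mistyped once.
SAMPLE_LOG = """\
2019-09-06T12:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 4411
2019-09-06T12:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 4412
2019-09-06T12:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 4413
2019-09-06T12:00:06 sshd[101]: Failed password for admin from 203.0.113.7 port 4414
2019-09-06T12:00:07 sshd[101]: Failed password for admin from 203.0.113.7 port 4415
2019-09-06T12:00:09 sshd[101]: Accepted password for admin from 203.0.113.7 port 4416
2019-09-06T12:05:00 sshd[102]: Failed password for bob from 198.51.100.2 port 5001
2019-09-06T12:30:00 sshd[103]: Accepted password for bob from 198.51.100.2 port 5002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(log_text: str) -> list:
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Alert when one source IP accumulates `threshold` failures inside a sliding
    `window_s`-second window, and again if that IP then logs in successfully."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for ts, result, user, ip in sorted(events):
        q = failures[ip]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"BRUTE_FORCE {ip}: {len(q)} failed logins within "
                              f"{window_s}s ending {ts.isoformat()}")
        elif ip in flagged:
            # The pattern a responder most wants to see: the guessing worked.
            alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE {ip}: '{user}' accepted at {ts.isoformat()}")
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The sliding window matters: counting failures over the whole log would flag a user who mistypes a password once a day for a month, while a window catches the burst that characterises automated guessing.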

Corrective / Response

- Computer incident response team (CIRT) - deals with major security incidents
  1. Recognise that a problem exists - an IPS/IDS signals an alert
  2. Containment of the problem - prompt action to stop it and contain the damage
  3. Recovery - restore data from backup, reinstall corrupted programs
  4. Follow-up - analyse how the incident occurred
     - Minimise the likelihood of a similar incident occurring
     - Decide whether to catch and punish the perpetrators (which requires forensic evidence and reports)
- Chief information security officer (CISO) - must understand the company's technology environment, and design, implement and promote sound security policies and procedures

Security implications of virtualisation, cloud computing, and the internet of things
1. Virtualisation - running multiple systems simultaneously on one physical computer
2. Cloud computing - using a browser to remotely access software, data storage, hardware and applications
   - They alter the risk of some information security threats and can increase the risk of others (a compromised hypervisor or cloud account exposes every system hosted on it)
   - Essentials:
     - Strong user access controls
     - Multifactor authentication
     - Physical access controls
3. Internet of things - embedding sensors in a multitude of devices so that those devices can now connect to the internet

Input controls
- Form design
  - Sequentially prenumbered documents - make it possible to verify that no documents are missing
  - Turnaround document - a record of company data sent to an external party and then returned by the external party for subsequent input to the system
- Cancellation and storage of source documents
  - Source documents that have been entered into the system should be cancelled so that they cannot be inadvertently or fraudulently re-entered
- Data entry controls
  - Field check - the characters in a field are of the proper type (e.g. numeric only)
  - Sign check - the data in a field have the appropriate arithmetic sign
  - Limit check - a numeric amount does not exceed a predetermined value
  - Range check - a numeric amount falls between predetermined lower and upper limits
  - Size check - the input data fit into the field
  - Completeness check - all required data items have been entered
  - Validity check - an ID code or account number is compared against a master file of valid values
  - Reasonableness test - the logical relationship between two data items holds
- Batch processing
  - Sequence check - whether the transaction file is in the proper numerical or alphabetical sequence
  - Batch totals - numeric values calculated for a batch of input records, compared before and after processing
    - Financial total - sum of a field that contains monetary values
    - Hash total - sum of a nonfinancial numeric field (e.g. account numbers)
    - Record count - number of records in the batch
- Online data entry controls
  - Prompting - a completeness check that requests each required item of input data and then waits for an acceptable response before requesting the next required item
  - Closed-loop verification - uses the data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data
  - Transaction log - used to reconstruct a damaged file and to ensure that transactions are not lost or entered twice if a malfunction shuts down the system
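The data entry controls listed above, applied to one record. This is an added example, not part of the course notes: a payroll time-card record (field names, the 40-hour limit, the pay-rate band and the employee master file are all constructed assumptions) is run through the completeness, field, size, validity, sign, limit, range and reasonableness checks, and the function returns every check that failed rather than stopping at the first one.

```python
"""Data entry edit checks on a constructed payroll time-card record.
Added example; field layout, limits and master file are assumptions."""
import re
from decimal import Decimal

EMPLOYEE_MASTER = {"E10042", "E10077"}          # constructed master file of valid IDs
REQUIRED = ("employee_id", "department", "hours", "pay_rate", "gross_pay")
NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")         # digits with optional sign and decimals
MAX_WEEKLY_HOURS = Decimal("40")
RATE_MIN, RATE_MAX = Decimal("20.00"), Decimal("150.00")

def edit_checks(rec: dict) -> list:
    """Return a list of (check_name, message) for every check the record fails."""
    errors = []
    # Completeness check: every required field present and non-blank.
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        errors.append(("completeness", f"missing fields {missing}"))
        return errors                   # the remaining checks need these fields
    # Field check: numeric fields contain only digits (and a sign/decimal point).
    for f in ("hours", "pay_rate", "gross_pay"):
        if not NUMERIC.match(str(rec[f])):
            errors.append(("field", f"{f}={rec[f]!r} is not numeric"))
    if errors:
        return errors                   # cannot do arithmetic on bad fields
    hours, rate, gross = (Decimal(str(rec[f])) for f in ("hours", "pay_rate", "gross_pay"))
    # Size check: employee ID must fit the 6-character field exactly.
    if len(rec["employee_id"]) != 6:
        errors.append(("size", f"employee_id {rec['employee_id']!r} is not 6 characters"))
    # Validity check: ID must exist in the master file.
    if rec["employee_id"] not in EMPLOYEE_MASTER:
        errors.append(("validity", f"employee_id {rec['employee_id']!r} not in master file"))
    # Sign check: hours worked cannot be negative.
    if hours < 0:
        errors.append(("sign", f"hours={hours} is negative"))
    # Limit check: hours must not exceed the weekly maximum.
    if hours > MAX_WEEKLY_HOURS:
        errors.append(("limit", f"hours={hours} exceeds {MAX_WEEKLY_HOURS}"))
    # Range check: pay rate must lie within the approved band.
    if not (RATE_MIN <= rate <= RATE_MAX):
        errors.append(("range", f"pay_rate={rate} outside {RATE_MIN}-{RATE_MAX}"))
    # Reasonableness test: gross pay should equal hours x rate (to the cent).
    if abs(gross - hours * rate) > Decimal("0.01"):
        errors.append(("reasonableness", f"gross_pay={gross} != hours*rate={hours * rate}"))
    return errors

# Constructed records for the example.
GOOD = {"employee_id": "E10042", "department": "AP", "hours": "38",
        "pay_rate": "45.00", "gross_pay": "1710.00"}
BAD = {"employee_id": "E1004", "department": "AP", "hours": "-5",
       "pay_rate": "500", "gross_pay": "100"}

if __name__ == "__main__":
    print(edit_checks(GOOD))   # []
    for name, msg in edit_checks(BAD):
        print(name, "-", msg)
```

Decimal rather than float is deliberate: monetary fields compared with float arithmetic produce spurious reasonableness failures at the cent level.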

Processing controls
- Data matching - 2 or more items must be matched before an action takes place (e.g. purchase order, receiving report and vendor invoice before an invoice is paid)
- File labels - need to be checked to ensure that the most current and correct files are being updated
- Recalculation of batch totals - batch totals are recomputed as each transaction record is processed, and the total for the batch is compared to the values in the trailer record
- Cross-footing balance test - compares totals computed in two different ways (e.g. the sum of the row totals against the sum of the column totals) to verify accuracy
- Zero-balance tests - verify the accuracy of processing that involves control accounts, which should net to zero once all postings are complete
- Write-protection mechanisms - protect against overwriting or erasing data files stored on magnetic media
- Concurrent update controls - prevent errors caused by 2 or more users updating the same record at the same time (e.g. by locking the record until the first update completes)
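Batch totals and the sequence check from the input controls, together with the recalculation of batch totals against the trailer record from the processing controls, as one worked example. This is added code, not from the course notes; the three-record batch and its document numbers, account numbers and amounts are constructed. It also shows the reason for keeping a hash total alongside the financial total: a transposed account number leaves the financial total unchanged and is caught only by the hash total.

```python
"""Batch totals (record count, financial total, hash total), sequence check,
and recalculation against a trailer record. Added example; batch is constructed."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    seq: int          # prenumbered document number
    account: int      # customer account number (nonfinancial numeric field)
    amount: Decimal   # monetary value

def compute_totals(records: list) -> dict:
    """The three batch totals prepared at data entry and written to the trailer record."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.amount for r in records), Decimal("0")),
        "hash_total": sum(r.account for r in records),
    }

def sequence_check(records: list) -> list:
    """Report documents out of order or missing between the first and last number."""
    seqs = [r.seq for r in records]
    problems = []
    if seqs != sorted(seqs):
        problems.append("out of order")
    expected = set(range(min(seqs), max(seqs) + 1)) if seqs else set()
    missing = sorted(expected - set(seqs))
    if missing:
        problems.append(f"missing {missing}")
    return problems

def verify_batch(records: list, trailer: dict) -> dict:
    """Recompute the totals while processing and return every total that
    disagrees with the trailer record as name -> (expected, actual)."""
    actual = compute_totals(records)
    return {k: (trailer[k], actual[k]) for k in trailer if trailer[k] != actual[k]}

# Constructed batch of three cash receipts.
BATCH = [
    Txn(1001, 40213, Decimal("250.00")),
    Txn(1002, 40588, Decimal("99.50")),
    Txn(1003, 40301, Decimal("1200.00")),
]
TRAILER = compute_totals(BATCH)   # totals the data entry clerk established up front

# Two processing errors to detect: a dropped record, and a transposed account number
# (40588 keyed as 40858) that leaves the financial total untouched.
DROPPED = BATCH[:2]
TRANSPOSED = [BATCH[0], Txn(1002, 40858, Decimal("99.50")), BATCH[2]]

if __name__ == "__main__":
    print(verify_batch(BATCH, TRAILER))        # {}
    print(verify_batch(DROPPED, TRAILER))      # all three totals differ
    print(verify_batch(TRANSPOSED, TRAILER))   # only hash_total differs
    print(sequence_check(DROPPED))             # []: 1001-1002 is still contiguous
```

The sequence check catches a gap only between the first and last document present, so a record dropped from the end of a batch (as in DROPPED) is found by the record count, not the sequence check; the two controls cover each other's blind spots.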

Output controls
- User review - verify the system output's reasonableness and completeness, and that it reaches its intended recipients
- Reconciliation - periodically all transactions and system updates should be reconciled to control reports or the general ledger
- Data transmission controls
  - Checksums - a data transmission control that uses a hash of the file to verify that it arrived unaltered
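The two data transmission controls on this page, parity bits (from the preventive controls) and checksums (above), side by side. This is an added example and not from the course notes: it appends an even-parity bit to each 7-bit character, checks parity at the receiver, and compares that with a SHA-256 checksum over the whole message. The message and the bit flips are constructed; the point it demonstrates is the parity caveat, that a parity bit detects an odd number of flipped bits in a character but misses two flips in the same character, which the checksum still catches.

```python
"""Parity bits versus a checksum as transmission-accuracy controls.
Added example; the message and the simulated line errors are constructed."""
import hashlib

def add_parity(char7: int) -> int:
    """Set bit 7 so that the 8-bit value has an even number of 1 bits."""
    if not 0 <= char7 < 128:
        raise ValueError("parity is added to 7-bit characters only")
    ones = bin(char7).count("1")
    return char7 | (0x80 if ones % 2 else 0)

def parity_ok(byte8: int) -> bool:
    """Receiver-side check: an even count of 1 bits means no odd-bit error."""
    return bin(byte8).count("1") % 2 == 0

def encode(text: str) -> bytes:
    """Sender side: ASCII text with a parity bit on every character."""
    return bytes(add_parity(ord(c)) for c in text)

def parity_errors(data: bytes) -> list:
    """Indexes of characters whose parity no longer matches."""
    return [i for i, b in enumerate(data) if not parity_ok(b)]

def checksum(data: bytes) -> str:
    """Whole-message check sent alongside the data and recomputed on receipt."""
    return hashlib.sha256(data).hexdigest()

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate line noise: flip the given (byte_index, bit_index) pairs."""
    buf = bytearray(data)
    for byte_i, bit_i in positions:
        buf[byte_i] ^= 1 << bit_i
    return bytes(buf)

if __name__ == "__main__":
    sent = encode("PAY 100")
    digest = checksum(sent)
    one_flip = flip_bits(sent, [(0, 0)])          # single-bit error in 'P'
    two_flips = flip_bits(sent, [(0, 0), (0, 1)])  # two bits flipped in 'P'
    print(parity_errors(one_flip), checksum(one_flip) == digest)    # [0] False
    print(parity_errors(two_flips), checksum(two_flips) == digest)  # [] False
```

Parity is cheap enough to check on every character as it arrives, which is why it survives in serial links; the checksum is the control to rely on for whether the file as a whole was received accurately, and a keyed hash (HMAC) is needed if the concern is deliberate tampering rather than noise.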

